Advanced Plus Security Syrinx Security Config 2020

Last updated: Jan 1, 2020
Windows Edition: Enterprise
Log-in security:
Security updates: Check for updates and Notify
User Access Control: Always notify
Real-time security: None
Firewall security: Microsoft Defender Firewall
About custom security:
    • Group Policy: See Message for details
    • MemProtect: See Message for details
    • Pumpernickel: See Message for details
Periodic malware scanners: My brain, debugger & occasionally IDA.
Malware sample testing:
Browser(s) and extensions:
    • Firefox ESR
    • Firefox Multi-Account Containers
    • HTTPS Everywhere
    • NoScript
    • uBlock Origin
Maintenance tools:
    • cleanmgr.exe
    • defrag.exe
    • dism.exe
File and Photo backup: Bvckup2 (Live)
System recovery: Acronis True Image (USB only)
Risk factors:
    • Gaming
    • Browsing to popular websites
    • Streaming audio/video content from shady sites
    • Downloading malware samples
    • Working from home
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs:
    • ASUS, None of your business
    • x64 CPU, None of your business
    • 2GB GPU, None of your business
    • 16GB RAM, None of your business
    • Too many to list and also none of your business

Syrinx

Level 1
Thread author
Dec 31, 2019
12
Heavy reliance on Group Policy including AppLocker, management and enforcement of the Windows Firewall with all inbound & outbound connections blocked by default (and Allow local firewall rules set to NO), running of Startup/Shutdown & Logon/Logoff scripts and of course Administrative Templates for both Computer and User Configurations.

I make decent use of the Windows 10 Exploit Protection settings, eg those you can alter under Windows Security > App & browser control but do not use Windows Defender or SmartScreen.

Each internet facing app, and even some that have no internet connection, runs under its own standard user account via scripts (stored in a folder with only Admin/System NTFS Permissions alongside an extra set of block rules for Pumpernickel when active) and PsExec with Group Policy set to deny elevation requests.

Each 'user' is allowed to only use the exe, or dlls associated with it, via the related AppLocker rules. My DLL rules are a tad more lenient, allowing all signed or system-folder-based dlls by default (though there is a list of path-based exceptions alongside some others like lxssmanager and system.management).

Updates to Windows are done manually via the MS Catalog downloads. This is partially so that I have time to test them first in a VM and cut off any obvious issues and partially to avoid excessive service/svchost allowances during normal use.

Updates to apps (currently only excluding Steam-with no service installed) are done manually or by installing the updated setup files in a VM and copying the related files over as needed.

I also make use of two drivers, MemProtect and Pumpernickel for increased Memory and File based privacy/security.
MemProtect is set to [#DEFAULTALLOW] eg blocking everything by default. While Windows Medium Integrity is already fairly well isolated from High and above I like the added isolation this allows me to accomplish by preventing each App from reading or messing with any other apps memory which is also running as a Standard user.

Pumpernickel is a tad more laid back but seeing as I store about all the related apps and their data in specific folders on a certain drive I was able to create some broad rules for those locations then add !priority rules to give them access to the relevant areas while keeping them blocked from everything else. If it had an option to disable DefaultAllow I would have likely spent the time in a VM setting rules for the OS first then simply adding more like I did with MemProtect but....

The final layer I use is also my first in the scheme I have set up: Unified Write Filter
Group Policy is set via scripts to check if the Unified Write Filter is active at startup, then it double checks the BFE, Windows Firewall and AppLocker services. If they are all running it then runs other scripts which create the user accounts used to launch the internet related apps as described above, along with various event based tasks, eg the termination of C:\path\this.exe, which in turn run other scripts set to RMDIR the related user/app folder and clean the registry's ProfileList of the related SID also. Outside of ProgramData or other areas 'excluded' in my setup this allows me to control what gets saved and restored, though I admit it can be a pain in the butt to set up initially.
If the scripts detect that the UWF, BFE, Firewall or AppID are not running no NICs are activated and nor are any accounts or tasks created. This is normally because I've disabled the UWF and rebooted in order to apply some .cab file updates via dism.

All NICs are disabled during the logoff phase regardless of UWF, etc.

Then there is perhaps what is likely to be my most controversial change, which I expect to take some flak for.
I run as the built in Administrator, yes that Super Admin account without the UAC prompts!
But wait, before you start spitting on me take a second look at my setup as already stated and then note that doing this allows me to prevent non-elevated admins (who run at medium integrity, eg as SuA, so far as the OS is normally concerned until an elevation) from being able to read other areas where I have made NTFS Permission changes removing even the normal User Read rights among others. I also have my 'drunk rules' which prevent my admin account from launching anything in my download or user set areas along with some others.

Also please note that the NONE entries for the backups are there because they vary quite a bit.
I only backup my OS when I do a fresh offline install.
My 'Data' backups via Bvckup are all different, depending on the area and importance I place on it.

The VMs referenced above vary on occasion but more often than not these days I default to a Windows 10 LTSC 1809 x64 image run on VMWare Workstation 15.x.x to increase the likelihood of catching issues that might appear on my live system during testing. I also heavily test potential live system changes in the VM rather often to avoid surprises.

Also, the Last Changes isn't exact. It was about the start of 2019 when I ditched SBIE, but it took almost a month to get things working fully as intended and I booted between two OSes until that was satisfactorily done.

I also use some custom .infs and lgpo.exe to 'disable/remove' Windows related things and even more scripts/regs to tweak or disable stuff post install and post update that aren't 'removed' this same way. That's all a bit complex and while not directly related to security I think it may count as it disables or removes access to potential attack vectors (except to TrustedInstaller) in most cases. Here's a bit more detail on what I do on that front:
 
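The per-app lockdown described in the post above (one dedicated standard user per internet-facing app, AppLocker rules that let only that user run only that binary, and an outbound firewall allow scoped to that user under block-by-default profiles), as an added PowerShell example. This is not Syrinx's own script; the account name, install path and rule names are assumptions for illustration.

```powershell
# Added example, not the author's scripts: per-app AppLocker + firewall scoping.
# Assumed: the local standard user 'app_firefox' already exists and Firefox is
# installed under C:\Apps\Firefox. Rule/display names are illustrative.
#Requires -RunAsAdministrator

$Account = 'app_firefox'                   # assumed dedicated local standard user
$Exe     = 'C:\Apps\Firefox\firefox.exe'   # assumed install path
$Policy  = Join-Path $env:TEMP "$Account-applocker.xml"

# 1. AppLocker: build the rule from the binary itself. A Publisher rule survives
#    updates of a signed binary; the Hash rule is the fallback for unsigned files.
#    -User scopes the rule so only this account may launch it.
Get-AppLockerFileInformation -Path $Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User $Account -Optimize -Xml |
    Out-File -FilePath $Policy -Encoding UTF8

# Evaluate the decision offline before touching the effective policy.
Test-AppLockerPolicy -XmlPolicy $Policy -Path $Exe -User $Account |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy. Enforcement mode (Enforce vs Audit) stays where the
# post sets it, in Group Policy, and AppIDSvc has to be running for any of it to bite.
Set-AppLockerPolicy -XmlPolicy $Policy -Merge

# 2. Firewall: block both directions by default (the post does this through GPO),
#    then allow only this program, only for this account, only to web ports.
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block

$sid = (Get-LocalUser -Name $Account).SID.Value
# -LocalUser takes an SDDL string; CC is the "connect" right the firewall checks.
New-NetFirewallRule -DisplayName "Outbound: $Account firefox (80/443)" `
    -Direction Outbound -Action Allow -Program $Exe -Protocol TCP `
    -RemotePort 80, 443 -LocalUser "O:LSD:(A;;CC;;;$sid)" -Profile Any | Out-Null

# Anything else the account starts, or firefox started by any other account, still
# hits the default outbound block. Show the user scoping that was written:
Get-NetFirewallRule -DisplayName "Outbound: $Account*" |
    Get-NetFirewallSecurityFilter | Select-Object LocalUser
```

The same pattern repeats once per app account; keeping the XML per account makes it easy to re-merge after a fresh offline install.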

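The startup gate and account lifecycle the post describes (UWF, BFE, the firewall service and AppLocker's AppIDSvc must all be up before per-app accounts are created and NICs enabled; otherwise stay offline), as an added PowerShell example. This is not the author's own scripts; account names, app paths and the password drop folder are assumptions, and Remove-AppAccount stands in for what the per-app "process terminated" task would call.

```powershell
# Added example, not Syrinx's scripts. Assumed: the accounts/paths below are
# illustrative and C:\Admin\launch has an NTFS ACL limited to Administrators/SYSTEM.
#Requires -RunAsAdministrator

$RequiredServices = 'BFE', 'MpsSvc', 'AppIDSvc'   # filtering engine, firewall, AppLocker
$AppAccounts = @{                                  # constructed sample: account -> exe
    'app_firefox' = 'C:\Apps\Firefox\firefox.exe'
    'app_steam'   = 'C:\Apps\Steam\steam.exe'
}
$SecretDir = 'C:\Admin\launch'   # assumed; Admin/SYSTEM-only ACL, as in the post

function Test-UwfEnabled {
    # UWF publishes its state through WMI in the embedded namespace.
    try {
        $f = Get-CimInstance -Namespace 'root/standardcimv2/embedded' -ClassName 'UWF_Filter' -ErrorAction Stop
        return [bool]$f.CurrentEnabled
    } catch { return $false }   # class missing: feature not installed, treat as off
}

function Test-RequiredServices {
    foreach ($name in $RequiredServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') { Write-Warning "$name not running"; return $false }
    }
    return $true
}

function New-AppAccount([string]$Name) {
    # Fresh random password per boot; the launcher reads it from the ACL'd drop
    # folder and hands it to PsExec.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes)
    New-LocalUser -Name $Name -Password (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires `
        -Description 'Per-app sandbox account' | Out-Null
    Set-Content -Path (Join-Path $SecretDir "$Name.pw") -Value $plain -NoNewline
}

function Start-AppAsAccount([string]$Name) {
    # Sysinternals PsExec: run interactively (-i) as the dedicated user, don't wait (-d).
    $plain = Get-Content -Path (Join-Path $SecretDir "$Name.pw") -Raw
    & psexec.exe -accepteula -d -i -u ".\$Name" -p $plain $AppAccounts[$Name]
}

function Remove-AppAccount([string]$Name) {
    # Tear down the account, its profile folder and its ProfileList entry so nothing
    # of the session persists outside the areas UWF is told to keep.
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) { return }
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$($user.SID.Value)"
    if (Test-Path $key) {
        $dir = (Get-ItemProperty -Path $key).ProfileImagePath
        if ($dir -and (Test-Path $dir)) { Remove-Item -LiteralPath $dir -Recurse -Force }
        Remove-Item -Path $key -Recurse -Force
    }
    Remove-LocalUser -Name $Name
    Remove-Item -Path (Join-Path $SecretDir "$Name.pw") -ErrorAction SilentlyContinue
}

if ((Test-UwfEnabled) -and (Test-RequiredServices)) {
    foreach ($acct in $AppAccounts.Keys) { Remove-AppAccount $acct; New-AppAccount $acct }
    Get-NetAdapter -Physical | Enable-NetAdapter -Confirm:$false
} else {
    # Gate failed (e.g. UWF turned off to apply .cab updates with dism): stay offline.
    Write-Warning 'Gate failed: NICs stay disabled, no app accounts created'
    Get-NetAdapter -Physical | Disable-NetAdapter -Confirm:$false
}
# The matching logoff script runs the Disable-NetAdapter line unconditionally.
```

Because the account is recreated with a new random password every boot, nothing that leaks from one session (the password file included) is usable in the next, and the profile wipe plus ProfileList cleanup keeps the SID from accumulating in the registry.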
Syrinx

Have been testing a new type of manual hardening of some services by flipping the LaunchProtected option on for most svchost instances (that are normally running on my machine) for a couple months now. When I first tried this in a VM some were unable to function properly or caused other services to fail but I'd guesstimate about 85% of the normally active svchost instances (on my system) are now running under PPL. This is a bit of a redundancy considering Vista+ ssdls and MemProtect but once I sorted out all the failures in the VM and moved to my live system to start this test I have yet to see any new issues as a result and finally decided to keep it so I figured I should update this as well.
 
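The LaunchProtected test from the post above, done in a reversible way, as an added PowerShell example (not the author's own procedure). Every running service hosted in svchost.exe gets LaunchProtected=1 (SERVICE_LAUNCH_PROTECTED_WINDOWS, i.e. PPL), the previous values are saved first so any service that then fails to start can be put back, and services the VM run showed to break go in an exclusion list. The backup path and the excluded name are assumptions.

```powershell
# Added example, not the thread author's script. Assumed: C:\Admin exists, and
# $Exclude is filled from your own VM test rather than the placeholder below.
#Requires -RunAsAdministrator

$Backup  = 'C:\Admin\launchprotected-backup.csv'   # assumed
$Exclude = @('Winmgmt')                            # assumed placeholder
$Level   = 1   # 0 none, 1 Windows, 2 Windows light, 3 antimalware light

function Get-SvchostService {
    # The candidates the post talks about: services whose image is svchost.exe and
    # which are running on this machine right now.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.PathName -match '\\svchost\.exe' } |
        Select-Object -ExpandProperty Name
}

function Get-LaunchProtected([string]$Name) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    (Get-ItemProperty -Path $key -Name LaunchProtected -ErrorAction SilentlyContinue).LaunchProtected
}

function Backup-LaunchProtected {
    # Record the current value (usually absent) per service before changing anything.
    Get-SvchostService | ForEach-Object {
        [pscustomobject]@{ Name = $_; LaunchProtected = Get-LaunchProtected $_ }
    } | Export-Csv -Path $Backup -NoTypeInformation
}

function Enable-LaunchProtected {
    foreach ($name in (Get-SvchostService | Where-Object { $_ -notin $Exclude })) {
        # A protected svchost only loads service DLLs signed at the matching level;
        # that requirement, not the flag itself, is what makes some services fail.
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" `
            -Name LaunchProtected -Value $Level -Type DWord
    }
}

function Restore-LaunchProtected {
    # Put every service back to exactly what the backup recorded.
    foreach ($row in Import-Csv -Path $Backup) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($row.Name)"
        if ([string]::IsNullOrEmpty($row.LaunchProtected)) {
            Remove-ItemProperty -Path $key -Name LaunchProtected -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $key -Name LaunchProtected -Value ([int]$row.LaunchProtected) -Type DWord
        }
    }
}

Backup-LaunchProtected
Enable-LaunchProtected
# Takes effect when each service next starts, so reboot and then look for
# Service Control Manager start failures before keeping it:
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Level = 2 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Run it in the VM first, as the post did: each failing service goes into $Exclude, and Restore-LaunchProtected gets you back to the recorded state if the live system misbehaves.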

Syrinx

I believe my initial tests (I really should revisit it again ~ I suppose) resulted in some issues (even if I can't recall what [or at least Event Log alerts/warnings?]) alongside ACG but I do have other mitigations set for svchost still including CIG, image dependency and disabling of dll extension so that 3rd party dlls can't make it into any svchost instances that way among a couple others.
 

Syrinx

@Syrinx Did you enable the GPO mitigation that prevents non-MS signed processes from running in svchost?
I did, no issues so far.
Retested ACG in a similar VM earlier and could not find whatever it was that made me disable it before. It could have even just been something in my earlier Win 10 tests and not related to 1809 or later at all. I haven't taken ACG live again yet so I may finally re-encounter my reason for disabling it once I try that...time will tell? I'll try to update you all here if I see it after or even if not but won't make drunken promises.

I also did some sober reading (how dare you make me do that btw!) and realized it wasn't that I hadn't enabled the policy but that it just doesn't exist on my install. I'm using 1809 LTSC to avoid the constant changes and it happens that the addition of that GPO is 1903+ and so all of my lsass and svchost mitigations are applied via HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options changes (normally via the Windblows UI then exported/re-imported at other times)
 

ForgottenSeer 823865

@Syrinx tried this?

[image: svc.jpg]
 

Syrinx

I feel stoopid repeating myself this way but mmk
it wasn't that I hadn't enabled the policy but that it just doesn't exist on my install. I'm using 1809 LTSC to avoid the constant changes and it happens that the addition of that GPO is 1903+
Regardless, my VM tests today with ACG didn't result in any obvious issues. I plan to try it live soon then we will see if it was an older Win 10 build issue or something else. I hope it works out, I'm all for better protection so thanks for bringing it up! I'll yell at you (if) I finally see why it didn't work out the first time but I'm crossing my fingers that it will in 1809+!

Update: Switched ACG for svchost to my live system earlier as I was already out of UWF mode to fix a silly MS goof (again) [that I just noticed] where after updating .NET it had removed my preferences for "OnlyUseLatestCLR" during the update process (this was the second time). FYI - I added another .reg to handle that for me after every update now along with my other 'restoration' scripts post-update-reboot just to be sure it doesn't interrupt my flow.

I haven't seen any concrete issues related to ACG over most of the day (saw one new error in the event log yet could not reproduce it in VM by adding ACG[related to AppID]) and sadly I still can't recall why it got disabled before. Regardless, thanks for polling me about this @Umbra. I feel a little bit safer today as a direct result of your question making me take another look at the ACG option!
 
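The svchost and lsass mitigations discussed in the posts above (CIG, image dependency signing, disabled extension points, and the ACG that was switched on and off) applied with Set-ProcessMitigation, as an added PowerShell example rather than the author's exported .reg. The cmdlet writes the same IFEO MitigationOptions value the author edits by hand on 1809, where the svchost GPO does not exist; audit flags go on first so a break like the one the author could not reproduce shows up in the event log instead of as a dead service. The export path is an assumption.

```powershell
# Added example, not the author's .reg export. Assumed: C:\Admin exists for the XML copy.
#Requires -RunAsAdministrator

$Targets = 'svchost.exe', 'lsass.exe'
$Export  = 'C:\Admin\process-mitigations.xml'   # assumed
$Ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Phase 1: audit only. Violations are logged to the Security-Mitigations channel
# without blocking; run the box (or the VM) through a normal day like this first.
foreach ($t in $Targets) {
    Set-ProcessMitigation -Name $t -Enable AuditMicrosoftSigned, AuditDynamicCode
}
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# Phase 2: enforce. CIG = MicrosoftSignedOnly, "image dependency" =
# EnforceModuleDependencySigning, extension points off, ACG = BlockDynamicCode.
foreach ($t in $Targets) {
    Set-ProcessMitigation -Name $t `
        -Enable MicrosoftSignedOnly, EnforceModuleDependencySigning, DisableExtensionPoints, BlockDynamicCode `
        -Disable AuditMicrosoftSigned, AuditDynamicCode
}

# What got written: the per-image IFEO binary value (shown as hex), plus the cmdlet's view.
$raw = (Get-ItemProperty -Path (Join-Path $Ifeo 'svchost.exe') -Name MitigationOptions).MitigationOptions
-join ($raw | ForEach-Object { $_.ToString('x2') })
(Get-ProcessMitigation -Name 'svchost.exe').DynamicCode

# Only processes started after the change carry it; check one live instance by PID.
Get-Process -Name svchost | Select-Object -First 1 | ForEach-Object {
    (Get-ProcessMitigation -Id $_.Id -ErrorAction SilentlyContinue).DynamicCode
}

# Keep a copy that survives a rebuild; re-apply with Set-ProcessMitigation -PolicyFilePath $Export.
Get-ProcessMitigation -RegistryConfigFilePath $Export
```

The XML export is the reusable form of the UI export/re-import the post mentions, and re-applying it from the post-update restoration scripts covers the case where an update resets these values.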
